ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76

Analysis

max time kernel
42s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12/10/2022, 14:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe
Size

669KB
MD5

6b3ced3247b49068977a4be805854324
SHA1

1579d63100e3b44a6b9981dd4c97242b20ceba35
SHA256

ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76
SHA512

7b58806c580b7edb88308076cb182fd9cbc4028b322e9b5688b36d0478b512971970c300c324069239e1b9bce2eb650cbff93d4fa161d89f78839e48d45125c5
SSDEEP

12288:QQjNB/yfdkYTZ5soj01t6FKCpoWKmxi89PUos:QQ5NcxT7J84poWKmxB9Q

Score

10^/10

bootkit persistence upx

Malware Config

Signatures

Suspicious use of NtCreateProcessOtherParentProcess 20 IoCs

description	pid	Process	procid_target
PID 964 created 1256	964	regsougoupy.exe	16
PID 1308 created 1256	1308	regsougoupy.exe	16
PID 964 created 1256	964	regsougoupy.exe	16
PID 1308 created 1256	1308	regsougoupy.exe	16
PID 964 created 1256	964	regsougoupy.exe	16
PID 1308 created 1256	1308	regsougoupy.exe	16
PID 964 created 1256	964	regsougoupy.exe	16
PID 1308 created 1256	1308	regsougoupy.exe	16
PID 964 created 1256	964	regsougoupy.exe	16
PID 1308 created 1256	1308	regsougoupy.exe	16
PID 964 created 1256	964	regsougoupy.exe	16
PID 1308 created 1256	1308	regsougoupy.exe	16
PID 964 created 1256	964	regsougoupy.exe	16
PID 1308 created 1256	1308	regsougoupy.exe	16
PID 964 created 1256	964	regsougoupy.exe	16
PID 1308 created 1256	1308	regsougoupy.exe	16
PID 964 created 1256	964	regsougoupy.exe	16
PID 1308 created 1256	1308	regsougoupy.exe	16
PID 964 created 1256	964	regsougoupy.exe	16
PID 1308 created 1256	1308	regsougoupy.exe	16

Nirsoft 2 IoCs

resource	yara_rule
behavioral1/memory/864-75-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft
behavioral1/memory/1296-79-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft

Executes dropped EXE 10 IoCs

pid	Process
964	regsougoupy.exe
1308	regsougoupy.exe
864	RtkSYUdp.exe
1296	RtkSYUdp.exe
1328	RtkSYUdp.exe
564	RtkSYUdp.exe
1180	RtkSYUdp.exe
1156	RtkSYUdp.exe
1104	RtkSYUdp.exe
1532	RtkSYUdp.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/560-55-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral1/files/0x0007000000012721-71.dat	upx
behavioral1/files/0x0007000000012721-73.dat	upx
behavioral1/memory/864-75-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral1/files/0x0007000000012721-77.dat	upx
behavioral1/memory/1296-79-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral1/files/0x0007000000012721-81.dat	upx
behavioral1/files/0x0007000000012721-84.dat	upx
behavioral1/files/0x0007000000012721-87.dat	upx
behavioral1/files/0x0007000000012721-90.dat	upx
behavioral1/files/0x0007000000012721-93.dat	upx
behavioral1/files/0x0007000000012721-96.dat	upx
behavioral1/memory/560-104-0x0000000000400000-0x00000000004A9000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
2020	cmd.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\desktop.ini	RtkSYUdp.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\TaoBao\ÌÔ±¦.ico	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe
File created	C:\Program Files (x86)\Common Files\TaoBao\ÌÔ±¦.tmp	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\regsougoupy.exe	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe
File created	C:\Windows\RtkSYUdp.exe	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\internet explorer\version Vector	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe

Modifies registry class 28 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\PersistentHandler	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214F9-0000-0000-C000-000000000046}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{00021500-0000-0000-C000-000000000046}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214EE-0000-0000-C000-000000000046}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214F9-0000-0000-C000-000000000046}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214EE-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214EE-0000-0000-C000-000000000046}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellNew	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellNew\Command = "rundll32.exe appwiz.cpl,NewLinkHere %1"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214F9-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\PersistentHandler\ = "{5e941d80-bf96-11cd-b579-08002b30bfeb}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{FBF23B80-E3F0-101B-8488-00AA003E56F8}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ = "InternetShortcut"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{00021500-0000-0000-C000-000000000046}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{CABB0DA0-DA57-11CF-9974-0020AFD79762}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{00021500-0000-0000-C000-000000000046}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214EE-0000-0000-C000-000000000046}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{CABB0DA0-DA57-11CF-9974-0020AFD79762}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{FBF23B80-E3F0-101B-8488-00AA003E56F8}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ = "lnkfile"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214F9-0000-0000-C000-000000000046}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{00021500-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe

Runs regedit.exe 21 IoCs

pid	Process
1216	regedit.exe
1828	regedit.exe
972	regedit.exe
976	regedit.exe
1104	regedit.exe
1620	regedit.exe
392	regedit.exe
1124	regedit.exe
1496	regedit.exe
1204	regedit.exe
772	regedit.exe
1884	regedit.exe
832	regedit.exe
768	regedit.exe
1632	regedit.exe
1180	regedit.exe
884	regedit.exe
1596	regedit.exe
848	regedit.exe
1172	regedit.exe
760	regedit.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
560	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe
560	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe
560	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe
560	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe
964	regsougoupy.exe
1308	regsougoupy.exe
964	regsougoupy.exe
1308	regsougoupy.exe
560	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe
964	regsougoupy.exe
1308	regsougoupy.exe
964	regsougoupy.exe
1308	regsougoupy.exe
964	regsougoupy.exe
1308	regsougoupy.exe
964	regsougoupy.exe
1308	regsougoupy.exe
964	regsougoupy.exe
1308	regsougoupy.exe
964	regsougoupy.exe
1308	regsougoupy.exe
964	regsougoupy.exe
1308	regsougoupy.exe
964	regsougoupy.exe
1308	regsougoupy.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
560	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe
560	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 560 wrote to memory of 1620	560	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe	29
PID 560 wrote to memory of 1620	560	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe	29
PID 560 wrote to memory of 1620	560	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe	29
PID 560 wrote to memory of 1620	560	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe	29
PID 560 wrote to memory of 1680	560	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe	30
PID 560 wrote to memory of 1680	560	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe	30
PID 560 wrote to memory of 1680	560	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe	30
PID 560 wrote to memory of 1680	560	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe	30
PID 560 wrote to memory of 964	560	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe	34
PID 560 wrote to memory of 964	560	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe	34
PID 560 wrote to memory of 964	560	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe	34
PID 560 wrote to memory of 964	560	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe	34
PID 560 wrote to memory of 1784	560	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe	33
PID 560 wrote to memory of 1784	560	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe	33
PID 560 wrote to memory of 1784	560	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe	33
PID 560 wrote to memory of 1784	560	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe	33
PID 560 wrote to memory of 1700	560	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe	36
PID 560 wrote to memory of 1700	560	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe	36
PID 560 wrote to memory of 1700	560	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe	36
PID 560 wrote to memory of 1700	560	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe	36
PID 964 wrote to memory of 1884	964	regsougoupy.exe	37
PID 964 wrote to memory of 1884	964	regsougoupy.exe	37
PID 964 wrote to memory of 1884	964	regsougoupy.exe	37
PID 964 wrote to memory of 1884	964	regsougoupy.exe	37
PID 964 wrote to memory of 1884	964	regsougoupy.exe	37
PID 560 wrote to memory of 1308	560	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe	38
PID 560 wrote to memory of 1308	560	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe	38
PID 560 wrote to memory of 1308	560	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe	38
PID 560 wrote to memory of 1308	560	ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe	38
PID 1308 wrote to memory of 392	1308	regsougoupy.exe	41
PID 1308 wrote to memory of 392	1308	regsougoupy.exe	41
PID 1308 wrote to memory of 392	1308	regsougoupy.exe	41
PID 1308 wrote to memory of 392	1308	regsougoupy.exe	41
PID 1308 wrote to memory of 392	1308	regsougoupy.exe	41
PID 1700 wrote to memory of 864	1700	cmd.exe	42
PID 1700 wrote to memory of 864	1700	cmd.exe	42
PID 1700 wrote to memory of 864	1700	cmd.exe	42
PID 1700 wrote to memory of 864	1700	cmd.exe	42
PID 1700 wrote to memory of 1296	1700	cmd.exe	43
PID 1700 wrote to memory of 1296	1700	cmd.exe	43
PID 1700 wrote to memory of 1296	1700	cmd.exe	43
PID 1700 wrote to memory of 1296	1700	cmd.exe	43
PID 1700 wrote to memory of 1328	1700	cmd.exe	44
PID 1700 wrote to memory of 1328	1700	cmd.exe	44
PID 1700 wrote to memory of 1328	1700	cmd.exe	44
PID 1700 wrote to memory of 1328	1700	cmd.exe	44
PID 1700 wrote to memory of 564	1700	cmd.exe	45
PID 1700 wrote to memory of 564	1700	cmd.exe	45
PID 1700 wrote to memory of 564	1700	cmd.exe	45
PID 1700 wrote to memory of 564	1700	cmd.exe	45
PID 1700 wrote to memory of 1180	1700	cmd.exe	46
PID 1700 wrote to memory of 1180	1700	cmd.exe	46
PID 1700 wrote to memory of 1180	1700	cmd.exe	46
PID 1700 wrote to memory of 1180	1700	cmd.exe	46
PID 1700 wrote to memory of 1156	1700	cmd.exe	47
PID 1700 wrote to memory of 1156	1700	cmd.exe	47
PID 1700 wrote to memory of 1156	1700	cmd.exe	47
PID 1700 wrote to memory of 1156	1700	cmd.exe	47
PID 1700 wrote to memory of 1104	1700	cmd.exe	48
PID 1700 wrote to memory of 1104	1700	cmd.exe	48
PID 1700 wrote to memory of 1104	1700	cmd.exe	48
PID 1700 wrote to memory of 1104	1700	cmd.exe	48
PID 1700 wrote to memory of 1532	1700	cmd.exe	49
PID 1700 wrote to memory of 1532	1700	cmd.exe	49

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1256
- C:\Users\Admin\AppData\Local\Temp\ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe
  "C:\Users\Admin\AppData\Local\Temp\ab8016adf55c33619a92876657b1ee0b59c6df4a95d203756ea71395e7ef5b76.exe"
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:560
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s C:\Users\Admin\AppData\Local\Temp\$rar10987.tmp
    3⤵
    - Modifies registry class
    - Runs regedit.exe
    PID:1620
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$RAVSING.bat
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$edbs.bat
    3⤵
    PID:1784
- - C:\Windows\regsougoupy.exe
    C:\Windows\regsougoupy.exe \??\C:\Windows\regedit.exe 1256 C:\Users\Admin\AppData\Local\Temp\okhhhik.tmp
    3⤵
    - Suspicious use of NtCreateProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:964
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$rcqi.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1700
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\."
      4⤵
      Executes dropped EXE
      PID:864
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\.."
      4⤵
      Executes dropped EXE
      PID:1296
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\desktop.ini"
      4⤵
      Executes dropped EXE
      Drops desktop.ini file(s)
      PID:1328
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\GOOGLE~1.LNK"
      4⤵
      Executes dropped EXE
      PID:564
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\LAUNCH~1.LNK"
      4⤵
      Executes dropped EXE
      PID:1180
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\SHOWSD~1.LNK"
      4⤵
      Executes dropped EXE
      PID:1156
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\USERPI~1"
      4⤵
      Executes dropped EXE
      PID:1104
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\WINDOW~1.LNK"
      4⤵
      Executes dropped EXE
      PID:1532
- - C:\Windows\regsougoupy.exe
    C:\Windows\regsougoupy.exe \??\C:\Windows\regedit.exe 1256 C:\Users\Admin\AppData\Local\Temp\$rar10943.tmp
    3⤵
    - Suspicious use of NtCreateProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1308
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$dmsf.bat
    3⤵
    - Deletes itself
    PID:2020
  - - C:\Windows\SysWOW64\reg.exe
      reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f
      4⤵
      PID:1896
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:1884
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:392
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:1216
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:1124
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:832
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:1828
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:1596
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:848
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:768
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:1632
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:1172
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:1496
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:972
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:1180
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:1204
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:976
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:1104
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:772
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:760
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$RAVSING.bat

Filesize
253B

MD5
cb350b29233b3440633123bb77692140

SHA1
52793f1ba4c7925d41c6e79a109080c3d12b69e6

SHA256
7031fcb0fa967101e4d4894e9ebbac7e0ed00cc3ba57777afa02f521356530d3

SHA512
0e5d3b34262260b807179d6a51e2c62524d3b0a132c05c4425830d376d1002d150aa0fd8e747a67d96b8ae8145ab903892ce3eaa8245084832eefd02b31c09b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$dmsf.bat

Filesize
639B

MD5
b1600f55340d6b58315a32e81a4dde47

SHA1
465921b1b1613cd17addbe6c4ffd67ec51360b7c

SHA256
72d7ae26f58a3b282c372822139034f6237ad2b65571d06f930bce22da3b3898

SHA512
8a8ac3bbe6500e2dacd104b7f8d863ec7d0411801ecd8dfaf1370b6dbcbe8496683e5019d4f6292f231f6393bbed46198d38ac4b7e520f31e3b6df1b1f08f3cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$edbs.bat

Filesize
59B

MD5
0cf180f20e716094bef34db0f1a39a04

SHA1
f8e9da5d8eaf347b240a77c6a9c4f494d4fc351b

SHA256
2a72298ec1d957d1d225aec50a4e6e32c5dec2f2645f25e580304e5c7ae5bb26

SHA512
a471fee35dfc685effb46fcc37d47d7210fad3fdba7cb5342b13e11f95ae7690e4053b3399bca6da7546015a479ce55a301c6934be8bab7ec9eae5aece8bdb3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$rcqi.bat

Filesize
1KB

MD5
98d7f7eb2ab8df60b86f3eab6cc2d8be

SHA1
a86c8759d8dd00f7d5d64e3c5c0d467ce1f41547

SHA256
cfc8943e4bee67b768f0c7044a094fbb8d5405333e364e87e36afa47ea57e7e0

SHA512
a00934cbd3d20e0058ef844935cc31a652a9726441307dfd776bd2cf08baa16a8004350d4690024d5e626a596823ab7a3a86d72b9cb86b681d1b8e8cda9b5668

Download Submit
C:\Users\Admin\AppData\Local\Temp\$rar10987.tmp

Filesize
1KB

MD5
185038ec1cc9a69a109726c8989e4cf5

SHA1
bfb62037297e8533e5f3940a32fb9505acf4fe26

SHA256
48ccff6cd96445619998a70fad77f5e655a9d146b93d0d160656619728c4e727

SHA512
bb0065a36a9bc48199943b21f3c3f10916fd15aa54201513f344464d962b5e6339e1df1b932043a914a662631f842a2f3b7a2c6e8c4e414567c5ea8ac9950391

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEXPLORE.tmp

Filesize
1KB

MD5
95dd27c2cf43cedf223de080b59aafd3

SHA1
cdbba5147c3f90d4c654915058e4287c17912d52

SHA256
03a592f838c4cce08031e0bc05cfab30ef1c151220b5c6bcca8c450dabbf8332

SHA512
2f0d34f294aec5a5d3dee432bdd308940a087b63a5e2b2d89c62601b3f797e0751049f995708b821273a43342d2041d244b13e11295d04625d574cf9c2807ce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\okhhhik.tmp

Filesize
3KB

MD5
b0fbee68075824aee3009fa3f5679713

SHA1
bcb89acea808c4b6027e854c4a08721ccebb5a42

SHA256
76b731f6e46411f4ea50f942f3ee80ac2dee8bda243493a6cc11ce2bf44c1af8

SHA512
de8328811297b93c27bac1a8dfb2a222e82c3a8da9f50415ba48bf65c7a866254e8c6bb70be55507268227ac230d0736a22a8d77176d5ab688ae5ee26640a934

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
C:\Windows\regsougoupy.exe

Filesize
92KB

MD5
6f028d5d5303b7d2f44ff676f6be4a21

SHA1
d7522f55db54d136e9be7ae90887591cdc03b64b

SHA256
855efd09b5e0b44499f8b4571786e352a16e8afc2456f09df76e53b6d5e700ed

SHA512
d6d7a990b0472cb0e4cf4cec0d9cddd51894a2391ebc79f0fcac7e9c4789cddccc587021dd24bde1b06bf6ac9726e5fb8d7014138bf4f9af83c3664627ac1412

Download Submit
C:\Windows\regsougoupy.exe

Filesize
92KB

MD5
6f028d5d5303b7d2f44ff676f6be4a21

SHA1
d7522f55db54d136e9be7ae90887591cdc03b64b

SHA256
855efd09b5e0b44499f8b4571786e352a16e8afc2456f09df76e53b6d5e700ed

SHA512
d6d7a990b0472cb0e4cf4cec0d9cddd51894a2391ebc79f0fcac7e9c4789cddccc587021dd24bde1b06bf6ac9726e5fb8d7014138bf4f9af83c3664627ac1412

Download Submit
C:\Windows\regsougoupy.exe

Filesize
92KB

MD5
6f028d5d5303b7d2f44ff676f6be4a21

SHA1
d7522f55db54d136e9be7ae90887591cdc03b64b

SHA256
855efd09b5e0b44499f8b4571786e352a16e8afc2456f09df76e53b6d5e700ed

SHA512
d6d7a990b0472cb0e4cf4cec0d9cddd51894a2391ebc79f0fcac7e9c4789cddccc587021dd24bde1b06bf6ac9726e5fb8d7014138bf4f9af83c3664627ac1412

Download Submit
memory/560-55-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/560-54-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/560-104-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/864-75-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1296-79-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download